Posted to commits@cordova.apache.org by Apache Wiki <wi...@apache.org> on 2014/01/24 22:45:18 UTC

[Cordova Wiki] Update of "BugtraqResonseDraft" by JoeBowser

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Cordova Wiki" for change notification.

The "BugtraqResonseDraft" page has been changed by JoeBowser:
https://wiki.apache.org/cordova/BugtraqResonseDraft

Comment:
Initial Draft

New page:
This is a draft response to the Bugtraq public disclosure done by Martin Georgiev, Suman Jana and Vitaly Shmatikov at the University of Texas at Austin.

A month ago, we received a security disclosure regarding alleged security issues with Apache Cordova on Android, namely the issues with the whitelist not working for various documents referenced by HTML pages.  That being said, this is a known vulnerability that we have explicitly documented in the PhoneGap and Cordova documentation since Cordova 3.2.0.

http://cordova.apache.org/docs/en/3.3.0/guide_appdev_whitelist_index.md.html#Whitelist%20Guide

Given the fact that Gingerbread is API 10, and the fact that Google and device manufacturers are no longer actively maintaining this version of Android, we feel that this is an appropriate response.  If you need your application to be secure from attacks on Gingerbread, we recommend setting your minimum SDK level higher than 10, since Gingerbread is not a safe or secure platform.

In addition to this, when developing an application, everything that is loaded into the WebView on Cordova has trusted access to the Cordova API.  This includes third-party ad networks.  We recommend not using any web advertisers in this manner in your application, since they are not trustworthy, and instead using third-party plugins to handle advertiser content, since web advertisements are not meant for mobile applications: not only are they a security issue, they offer a very poor user experience.

In addition to this, other claims were brought that were not security related.  These include:

''PhoneGap’s domain whitelisting on Android (API 11 or higher) and iOS does not adhere to the same-origin policy.  Third-party scripts included using <script> tags are blocked unless their source domain is whitelisted, even though these scripts execute in the origin of the hosting page, not their source origin.''

This is by design.  All content is blocked if it does not come from a whitelisted domain, to prevent non-trusted domains from getting access to the Cordova API.  This includes advertising networks.  This further makes the point that web-based advertising networks should not be used with Cordova.  Again, the purpose of Cordova is to provide web developers the ability to make hybrid apps in a native context on the web.  The use case is to NOT display web pages, and not to display web advertiser content.

We welcome security submissions, but we request that, when presenting a solution, the git history of the project remain intact.  We have not been able to easily review the changes, since they were done on an old major version of Cordova on a repository with the history removed, making it difficult for us to port any of these changes.  We do not know if this was done intentionally, but we prefer that patches be submitted either by e-mail or as a GitHub pull request.
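The draft above makes two concrete recommendations to app developers: whitelist only the origins you trust, because every whitelisted origin reaches the Cordova API, and raise the Android minimum SDK above API 10 so the app cannot run on Gingerbread at all. The following audit script is an added example, not part of the wiki draft or of the Cordova project's own code. It parses a Cordova 3.x project's `config.xml` (the `<access origin="...">` whitelist elements, with the optional `subdomains` attribute) and the generated `AndroidManifest.xml` (`<uses-sdk android:minSdkVersion>`), and flags a wildcard origin, a cleartext `http://` origin (an added check beyond what the draft discusses: script injected into a cleartext origin inherits that origin's API access) and a minimum SDK at or below 10. The two sample files below are constructed for the example; the wildcard entry mirrors the `<access origin="*" />` line that Cordova project templates of that era commonly contained.

```python
"""Audit a Cordova 3.x Android project's whitelist and minimum SDK.

Added example; the sample XML documents are constructed, not taken from any
real project.
"""
import xml.etree.ElementTree as ET

WIDGET_NS = "{http://www.w3.org/ns/widgets}"
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GINGERBREAD_API = 10  # Android 2.3.x, the platform the draft says to exclude

# Constructed sample config.xml with a permissive whitelist.
WEAK_CONFIG_XML = """<?xml version='1.0' encoding='utf-8'?>
<widget id="com.example.hello" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets">
    <name>HelloCordova</name>
    <content src="index.html" />
    <access origin="*" />
    <access origin="http://ads.example.net" subdomains="true" />
    <access origin="https://api.example.com" />
</widget>
"""

# Constructed sample manifest that still allows installs on Gingerbread.
WEAK_MANIFEST_XML = """<?xml version='1.0' encoding='utf-8'?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hello">
    <uses-sdk android:minSdkVersion="10" android:targetSdkVersion="19" />
</manifest>
"""

# The same two files after applying the draft's recommendations.
HARDENED_CONFIG_XML = WEAK_CONFIG_XML.replace(
    '    <access origin="*" />\n', '').replace(
    '    <access origin="http://ads.example.net" subdomains="true" />\n', '')
HARDENED_MANIFEST_XML = WEAK_MANIFEST_XML.replace(
    'android:minSdkVersion="10"', 'android:minSdkVersion="11"')


def whitelist_findings(config_xml):
    """Return [(origin, [issue, ...])] for every risky <access> element."""
    root = ET.fromstring(config_xml)
    findings = []
    for access in root.iter(WIDGET_NS + "access"):
        origin = access.get("origin", "")
        subdomains = access.get("subdomains", "false").lower() == "true"
        issues = []
        if origin == "*":
            # Any site loaded into the WebView gets the Cordova API.
            issues.append("wildcard")
        else:
            if origin.startswith("http://"):
                # A cleartext origin can be tampered with in transit.
                issues.append("cleartext")
            if subdomains:
                # Every subdomain of the origin is trusted, not just the host named.
                issues.append("subdomains")
        if issues:
            findings.append((origin, issues))
    return findings


def min_sdk_version(manifest_xml):
    """Return android:minSdkVersion from <uses-sdk>, or None if absent."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return None
    value = uses_sdk.get(ANDROID_NS + "minSdkVersion")
    return int(value) if value is not None else None


def audit(config_xml, manifest_xml):
    """Combine both checks into a list of human-readable findings."""
    report = ['%s: <access origin="%s">' % (", ".join(issues), origin)
              for origin, issues in whitelist_findings(config_xml)]
    min_sdk = min_sdk_version(manifest_xml)
    if min_sdk is None or min_sdk <= GINGERBREAD_API:
        report.append("minSdkVersion %s allows installs on Gingerbread (API %d) or older"
                      % (min_sdk, GINGERBREAD_API))
    return report


if __name__ == "__main__":
    for label, cfg, manifest in (("weak", WEAK_CONFIG_XML, WEAK_MANIFEST_XML),
                                 ("hardened", HARDENED_CONFIG_XML, HARDENED_MANIFEST_XML)):
        print(label + ":")
        for line in audit(cfg, manifest) or ["no findings"]:
            print("  " + line)
```

Run against the weak pair the script reports the wildcard entry, the cleartext ad-network entry with `subdomains="true"`, and the Gingerbread-compatible `minSdkVersion`; the hardened pair, which keeps only the HTTPS API origin and sets `minSdkVersion` to 11, produces no findings. Pointing `audit()` at a real project's `config.xml` and `platforms/android/AndroidManifest.xml` is a quick way to confirm the draft's two recommendations have actually been applied.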